freeipa admin password reset
Do not use the cn=compat entry for your password changes. cn=compat is a read-only compatibility tree which is automatically generated against the primary data tree in cn=accounts. Compat tree entries have no passwords.
Your problem is that you are trying to change the password of an entry that is purposely read-only and that is implemented via a plugin purposely not providing a password field in the entries.
580farm
Updated on September 18, 2022
Comments
-
580farm almost 2 years
I'm trying to figure out how to reset my freeipa3 admin password. I'm able to see the user when I search the domain:
[root@ipaserver ipa]# LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -h localhost -ZZ -x -b uid=admin,cn=users,cn=compat,dc=central,dc=example,dc=com
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=compat,dc=central,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# admin, users, compat, central.example.com
dn: uid=admin,cn=users,cn=compat,dc=central,dc=example,dc=com
objectClass: posixAccount
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: 1909600000
gidNumber: 1909600000
loginShell: /bin/bash
homeDirectory: /home/admin
uid: admin
and I found this snippet (it seems to be the only one) on the web for resetting my password.
When I try that however I get the following message:
[root@ipaserver ipa]# LDAPTLS_CACERT=/etc/ipa/ca.crt ldappasswd -ZZ -D 'cn=directory manager' -W -S uid=admin,cn=users,cn=compat,dc=central,dc=example,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Result: No such object (32)
Additional info: Failed to update password
Anyone with past experience with resetting the admin freeIPA server who might have some suggestions?
-
abbra over 8 years
You can reset the password for admin but you are doing it wrong -- you are attempting to use wrong LDAP object, the one which has no password associated and is merely a display. Think about eating a cake and looking at the picture of a cake. You are trying to eat a picture of a cake in your example above. All your IPA users are stored in cn=users,cn=accounts,dc=central,dc=example,dc=com subtree, not in cn=users,cn=compat,dc=central,dc=example,dc=com. Thus, your admin user is uid=admin,cn=users,cn=accounts,dc=central,dc=example,dc=com.
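A small pre-flight check for the situation described in the answer and in abbra's comment, added here as an example rather than code from the thread or from FreeIPA: it parses the ldapsearch output quoted in the question (embedded below as a constructed sample), flags the entry as a cn=compat entry carrying no credential attributes, and derives the cn=accounts DN that ldappasswd should target instead. The credential attribute names it looks for are an assumption.

```python
# Constructed sample: the ldapsearch output quoted in the question, reflowed to LDIF.
COMPAT_ADMIN_LDIF = """\
# admin, users, compat, central.example.com
dn: uid=admin,cn=users,cn=compat,dc=central,dc=example,dc=com
objectClass: posixAccount
objectClass: top
cn: Administrator
uidNumber: 1909600000
homeDirectory: /home/admin
uid: admin
"""
# Attributes that mark an entry holding a real credential (assumed list, not from the thread).
PASSWORD_ATTRS = ("userPassword", "krbPrincipalKey")

def parse_ldif_entries(text):
    """LDIF text -> list of {attribute: [values]}; skips comments, joins folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def accounts_dn(dn):
    """Rewrite a cn=compat DN to its cn=accounts counterpart; None if not a compat DN."""
    parts = [p.strip() for p in dn.split(",")]
    if not any(p.lower() == "cn=compat" for p in parts):
        return None
    return ",".join("cn=accounts" if p.lower() == "cn=compat" else p for p in parts)

def diagnose(entry):
    """Report whether ldappasswd can target this entry and which DN to use instead."""
    dn = entry["dn"][0]
    target = accounts_dn(dn)
    return {"dn": dn, "compat_tree": target is not None, "use_dn": target or dn,
            "has_password": any(a in entry for a in PASSWORD_ATTRS)}

if __name__ == "__main__":
    for report in map(diagnose, parse_ldif_entries(COMPAT_ADMIN_LDIF)):
        print(report)
```

Run the script against the saved output of an ldapsearch (or the embedded sample) and it reports `compat_tree: True`, `has_password: False` and the `use_dn` value to pass to ldappasswd.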